[PATCH] Audit filter rule operators (2/2)
Timothy R. Chavez
tinytim at us.ibm.com
Mon Oct 24 16:13:34 UTC 2005
On Friday 21 October 2005 18:24, Dustin Kirkland wrote:
> This is the kernel space component of this patch.
>
> This patch defines the bitmask values of each of the 6 comparators (and
> includes a nice documentation chart explaining how they were chosen).
>
> It also adds a new function, audit_comparator(left, op, right). This
> function will perform the specified comparison (op, which defaults to
> "==" for backward compatibility) between two values (left and right).
> If the negate bit is on, it will negate whatever that result was. This
> value is returned.
I just have one nit/comment below, Dustin.
<snip>
> diff -urpbBN linux-2.6.14-rc4/include/linux/audit.h
> linux-2.6.14-rc4-audit_ops/include/linux/audit.h
> --- linux-2.6.14-rc4/include/linux/audit.h 2005-10-19 09:40:27.000000000 -0500
> +++ linux-2.6.14-rc4-audit_ops/include/linux/audit.h 2005-10-21 18:05:43.000000000 -0500
> @@ -128,8 +128,29 @@
> #define AUDIT_ARG2 (AUDIT_ARG0+2)
> #define AUDIT_ARG3 (AUDIT_ARG0+3)
>
> -#define AUDIT_NEGATE 0x80000000
> +/* These are the supported operators.
> + 4 2 1
> + > < =
> + -------
> + 0 0 0 0 undef
> + 0 0 1 1 =
> + 0 1 0 2 <
> + 0 1 1 3 <=
> + 1 0 0 4 >
> + 1 0 1 5 >=
> + 1 1 0 6 !=
> + 1 1 1 7 range
> + */
> +#define AUDIT_OPERATORS 0xF0000000
> +#define AUDIT_EQUAL 0x10000000
> +#define AUDIT_LESS_THAN 0x20000000
> +#define AUDIT_LESS_THAN_OR_EQUAL 0x30000000
> +#define AUDIT_GREATER_THAN 0x40000000
> +#define AUDIT_GREATER_THAN_OR_EQUAL 0x50000000
> +#define AUDIT_NOT_EQUAL 0x60000000
> +#define AUDIT_RANGE 0x70000000
>
> +#define AUDIT_NEGATE 0x80000000
>
> /* Status symbols */
> /* Mask values */
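Review bot: AUDIT_OPERATORS is 0xF0000000, which overlaps AUDIT_NEGATE (0x80000000), while the chart above it describes a three-bit operator field (4 2 1) whose largest value, AUDIT_RANGE, is 0x70000000. If negation is meant to stay a separate flag, the mask should be 0x70000000; if the overlap is deliberate, the comment should say that the top bit is the legacy negate flag and how it combines with the operator bits. The chart also lists 0 as "undef" with no named constant, so the comment should state how a field with no operator bits set is interpreted.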
> diff -urpbBN linux-2.6.14-rc4/kernel/auditsc.c linux-2.6.14-rc4-audit_ops/kernel/auditsc.c
> --- linux-2.6.14-rc4/kernel/auditsc.c 2005-10-19 09:40:29.000000000 -0500
> +++ linux-2.6.14-rc4-audit_ops/kernel/auditsc.c 2005-10-21 18:08:32.000000000 -0500
> @@ -385,6 +385,36 @@ int audit_receive_filter(int type, int p
> return err;
> }
>
> +static int audit_comparator(const u32 left, const u32 operator, const u32 right)
> +{
> + int rc;
> + switch (operator) {
> + case AUDIT_LESS_THAN:
> + rc = (left < right);
> + break;
> + case AUDIT_LESS_THAN_OR_EQUAL:
> + rc = (left <= right);
> + break;
> + case AUDIT_GREATER_THAN:
> + rc = (left > right);
> + break;
> + case AUDIT_GREATER_THAN_OR_EQUAL:
> + rc = (left >= right);
> + break;
> + case AUDIT_NOT_EQUAL:
> + rc = (left != right);
> + break;
> + case AUDIT_EQUAL:
> + default:
> + rc = (left == right);
> + break;
> + }
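Review bot: AUDIT_RANGE is defined in audit.h but has no case in this switch, so a rule that uses it lands in default and is evaluated as (left == right) with no indication to the caller. Either add the case or reject the operator when the rule is added. The case labels are also exact values, so if the caller passes the operator bits with AUDIT_NEGATE still set (for example AUDIT_NEGATE | AUDIT_LESS_THAN), that value also falls to default; switching on the operator with the negate bit masked off would avoid this.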
Do we really want to default undefined operations to AUDIT_EQUAL? I'd expect an error.
-tim